The Air Force's decision to stand up Twenty-fourth Air Force under Air Force Space Command creates an opportunity to scrutinize existing network warfare constructs with the goal of ensuring that network warfare operations carry out the Air Force's stated mission: "to fly, fight, and win ... in air, space, and cyberspace."1 Such a sweeping review would involve a significant number of organizations inside and outside the Air Force, encompassing discussions of policy, funding priorities, personnel, and cross-service coordination, to name a few. This article does not attempt to address all of the complex issues surrounding cyberspace operations; rather, it examines the most visible component of cyberspace warfare—network defense (NetD).

Since 1992 the Air Force has monitored its networks and responded to malicious network events. As the service has matured its ability to command and control its networks, some operational principles have unintentionally blended NetD and network operations (NetOps). This article proposes new operational constructs that will force a healthy distinction between network warfare—particularly NetD—and NetOps. Cyber targeting, the first proposed construct, emphasizes the need to proactively find, fix, track, and target an adversary. Cyber targeting operations can ensure that mission-critical systems or even network paths remain free of adversaries. The second construct, cyber engagement, is a collection of responses specifically designed to affect an identified intruder. Current NetD constructs and cyber targeting enable cyber engagement operations. Finally, we must closely coordinate both targeting and engagement operations with combatant commands (COCOM) and other national agency operations. Both cyber targeting and cyber engagement induce a robust contrast between maintenance of the network and defense of the network. Making such a distinction and employing the proposed constructs should result in more effective NetD operations.

Setting the Stage for Change

The Air Force has been discriminating in its definitions of NetOps and NetD, the former providing "effective, efficient, secure, and reliable information network services used in critical Department of Defense (DOD) and Air Force communications and information processes" and the latter "employ[ing] . . . network-based capabilities to defend friendly information resident in or transiting through networks against adversary efforts to destroy, disrupt, corrupt, or usurp it. NetD can be viewed as planning, directing, and executing actions to prevent unauthorized activity in defense of Air Force information systems and networks and for planning, directing, and executing responses to recover from unauthorized activity should it occur."2 The fact that the joint community does not have a term to describe what the Air Force calls NetOps means that it considers NetOps either a subset of NetD or simply a maintenance function that does not warrant discussion in a joint doctrine publication.3 Due to the differences in joint and Air Force doctrine, we suggest simplified versions of NetD and NetOps so that the reader can immediately recognize each operation's responsibilities and priorities:

• Network warfare operations/NetD: operations that seek to produce desired effects against an adversary tactically, operationally, and strategically. These operations, which require planning and intelligence support, can be reactive or proactive. Most importantly, NetD operations consider the discovery of an adversary not just a threat but an opportunity for operational engagement.

• NetOps: operations in which the maintainer primarily acts upon the network to provide reliable and secure network services. In reality an adversary who disrupts operations is no worse than a hardware failure since the goal involves maintaining availability and performance requirements. Just as we can replace hardware, so can we rebuild a compromised computer.

We contend that the Air Force does not actually conduct NetD operations as defined above. We support this claim by examining two principles that lie at the core of the service's current approach to NetD and that keep the Air Force reactive, thus weakening its ability to defend the network effectively.

Principle 1: Detecting the Adversary Is Paramount

This principle, the foundation upon which we have built most traditional NetD, consumes the bulk of the Air Force's NetD resources. The service relies on real-time monitoring and emphasizes hardened network perimeters to detect enemy activity. However, its motivation for doing so is of great importance. The Air Force wishes to detect the intruder or attacker, not to take action against him but to find and fix a security problem. The situation is analogous to how a security forces member on flight-line patrol responds to a suspicious event. Upon seeing an intruder enter through a hole in the fence, he or she shines a flashlight on the hole and begins to fix it instead of following and capturing the intruder. Currently the Air Force makes no distinction between sophisticated and non-sophisticated intrusions, treating all breaches equally and responding in a way that protects and reestablishes the health of the network. It does not focus on assuring that we can perform required missions and continue NetOps despite adversary attacks.

Though important, detecting the adversary is not the only way to protect a network. Rapidly and regularly changing its configuration would also offer protection and would not require detection of the adversary to produce results.4 Additionally, we do not advocate the end of detection efforts, something critical to NetD operations as we define it, but the motivation behind detection efforts must change. Finally, we concede that our best perimeter defenses and patch-management methodologies fail to deter or hinder sophisticated adversaries.5 Although these methodologies are useful, we must supplement our current approach with one committed to achieving effects against the adversary and assuring mission success.
Principle 2: NetD Operations Are Successful When a Compromised Computer Is No Longer Compromised

This principle relegates NetD operations to a maintenance role within the Air Force, emphasizing network health at the expense of determining the enemy's effect on ongoing or future missions. Furthermore, we rarely use a compromised computer to engage the adversary. In addition to finding, analyzing, and fixing compromised computers, NetD operators must contest the adversary, even on our own networks, conceiving of and executing defensive strategies that affect him while assuring the integrity of priority war-fighting missions.

Because of this principle, probably more than its companion, we should really define the current NetD as NetOps. When an intrusion occurs and we open an "incident," when do we close it? Not when an operation concludes but when we consider the computer free of intruders and allow it to rejoin the network. Is that success? No. We should measure success by combat effectiveness; consequently, we must take measurements at the strategic, operational, and tactical levels to determine if we are attaining NetD objectives such as deterring the adversary from establishing or employing offensive capabilities against US interests.6

A New Construct

We propose correcting these problems by establishing operational units (of yet undetermined sizes) charged with truly affecting adversary operations that target Air Force and DOD networks. True, units in Twenty-fourth Air Force (including the 688th Information Operations Wing and the 67th Network Warfare Wing) are responsible for executing the Air Force's cyber mission; however, no units within Twenty-fourth Air Force now do what we suggest below. Our new paradigms will require reshaping existing units and, possibly, creating new ones.

The first proposed organization would have the inwardly focused mission of seeking out the adversary on Air Force and DOD networks. The second would have the outwardly focused mission of engaging him on those networks. Although both would work closely together (and with the established, continuous network-monitoring mission), they would be set apart by their commitment to planned missions or "sorties" linked to a commander's operational needs and terminated upon completion of the mission. At strategic levels, proper policies need to endorse proactive NetD strategies such as targeting and engagement. Next, at the operational level, we must develop plans to address specific adversaries and prescribe approved courses of action that allow network defenders to realize unity of effort, mass, surprise, and timeliness in cyberspace. Finally, at the tactical level, we must train and certify operators on NetD weapons that can compromise attacks or thwart attempts to gain access to Air Force networks. These organizations and plans will allow the Air Force to perform NetD operations that seek, engage, and act upon adversaries in cyberspace.

Cyber Targeting

Clearly, enemies—specifically advanced, persistent ones—reside within the Air Force network. Spear-phishing attacks, which persuade users either to open a malicious attachment or click on a link to a malicious Web page, breach perimeter defenses without difficulty. The ease with which an adversary can gain access to DOD networks is outdone only by the ease with which he can navigate and maneuver after establishing "beachheads" within Air Force and DOD networks, both of which actions offer entry to high-value information or systems. A proactive approach, cyber targeting can identify intruders on our networks by using state-of-the-art NetD "weapons" not permanently located on the Air Force network, along with typical perimeter-security tools. We would conduct operations with a specific objective in mind, find the adversary, and then influence, disrupt, or otherwise affect him. An operation would not terminate until we have identified the adversary and subsequently verified his absence, regardless of the terminating factor. These operations also demand proper planning and execution because of the tremendous amount of legitimate data in cyberspace, within which the adversary hides to do his work.

Cyber Engagement

Defense has always involved delaying, disrupting, deterring, or denying enemy objectives. However, if we assume the impossibility of completely stopping the adversary, then we must consider ways to significantly hinder or exploit his efforts. (By "exploit," we mean achieve second- and third-order effects on his decision-making capacity.) Cyber engagement makes the conscious decision to use DOD networks as a path to the adversary—a path for fulfilling defensive goals.7 Upon discovering a compromised computer or network, NetD operators no longer would simply rebuild the system but would use intelligence and perhaps other NetD weapons to identify the intruder.

Next, depending on the level of attribution and existing operation plans (OPLAN), they would conduct tactical operations against the adversary, utilizing the compromised computer or network as a launching point.8 For example, during an operation, the NetD operator could intentionally pass inaccurate information to the enemy or manipulate exfiltrated data, rendering it untrustworthy. Regardless of the technique employed, the operator would always try to introduce unreliability, make intrusions more costly, or influence the adversary's actions. Consequently, operators must plan and coordinate these "response actions" with larger COCOM or national-level strategies.9 Additionally, they must deconflict these kinds of operations from the day-to-day monitoring of network sensors.

As discussed above, cyber engagement covers a spectrum of operations, not simply network attack. Engagement assumes the inability of detection and protection efforts to defend the network properly. Instead it takes a different approach, one not limited to selection of a particular technology but concerned with actions necessary to meet defensive goals. To illustrate, during a football game, the offensive players attempt to reach the end zone, but the defense tries to stop them. Football defenses attempt to keep the opposing team out of the end zone not only by employing defense in depth (fielding a strong defensive line, linebackers, and safeties) but also by using different schemes to confuse the quarterback. For example, one linebacker might rush the quarterback while two others drop back in coverage—or the defensive coordinator might call for an all-out blitz. Regardless of the scheme, good coaches know they cannot always prevent the offense from scoring, but they can make its task difficult by confusing the opposing players, especially the quarterback.

With one eye on this analogy, we would have to say that the DOD currently plays defense without ever thinking about causing confusion amongst the offense. We don't have different defensive schemes, nor do we prepare plans for affecting the planning, execution, and, ultimately, the outcome of an encounter with the enemy. Instead our defense stands at the network perimeter, and we hope no one gets by undetected.

Cyber targeting and cyber engagement represent a significant paradigm shift in the way we conduct NetD operations. By factoring in the objectives of focused OPLANs, we can make NetD a stronger form of fighting than network attack.10 Indeed, the US Army has already noted this in more traditional defensive operations.11 Furthermore, NetD can take a more active role in network warfare while creating a much-needed distinction between itself and NetOps. Finally, these new constructs support the president's desire to go beyond criminal prosecution in responding appropriately to cyber attacks.12
A Simple Proposal

Planning and preparing for large-scale military operations, such as the invasion of Iraq in 2003, require that COCOM OPLANs be routed through each military service's lead NetD organization, thereby allowing network defenders to implement measures against enemy targeting of DOD networks and prevent any disruption of the OPLAN's execution. Requirements provided by the COCOMs usually address generic threats. When operations commence, we usually take proactive steps such as blocking hostile Internet Protocol (IP) addresses.

In these traditional situations, we treat the networks as a support element. That is, our networks need to function without disruption in order for our symmetric warfare capabilities to operate—analogous to saying that the fuel trucks need to function so the F-16s can take off. It is difficult to contemplate fighting on US networks, but NetD operations must take advantage of access to enemy NetOps and respond by decreasing the credibility of stolen information, increasing the cost of an attack on Air Force and DOD networks, or allowing the United States to influence the adversary's perceptions prior to and during all phases of conflict.

We propose the following as a way of highlighting the utility of this new construct, which truly thinks of NetD as a form of asymmetric warfare. Currently, each OPLAN has an appendix that addresses NetD requirements. However, in addition to providing for preventive network protection, future OPLANs should identify the systems critical to performing traditional warfare operations (e.g., logistics networks, command and control nodes, etc.). Moreover, we should pinpoint high-threat adversaries so we can begin planning and coordinating cyber engagement operations, and we should plan and execute targeting operations on mission-critical systems identified by the COCOM. However, this time if we discover the adversary, we should commence engagement operations to affect or influence him.

Two important points merit emphasis. First, the adversary discovered during targeting operations might be entirely different from the one addressed by the OPLAN—a possibility that makes cyberspace such a challenging domain to dominate. Second, targeting and engagement operations do not necessarily have to be linked to a specific COCOM OPLAN. We can perform proactive targeting operations as long as we properly delineate and synchronize them with other operations. We should consider performing engagement operations every time we discover a network intrusion, whether through traditional detection techniques or targeting operations.

Conclusion

According to the 67th Network Warfare Wing, "The bottom line is that the Air Force must transition from a detection-centric orientation to an active network kill chain approach which integrates prevention, detection, response, and adversary engagement."13 This vision cannot come to fruition without organizing and tasking NetD operational units to change their operational constructs from a reactive approach (monitor, detect, and respond) to one that, as recently described by Lt Gen William T. Lord, "seek[s] out threats and . . . detect[s] and defeat[s] them instantaneously."14 We cannot do this in isolation.

We need purposeful planning and coordination with intelligence and national-level agencies. Furthermore, the creation of US Cyber Command should help ensure that services act under the authority and direction of a COCOM. The cyber targeting and cyber engagement constructs truly "operationalize" NetD since they focus squarely on acting upon and affecting the adversary. In the future, we should pay comparable attention to mission assurance (i.e., continuing operations despite enemy attacks), an area that prevents the complete separation of NetD and NetOps. However, we cannot adequately address it without planning and very good intelligence. The DOD spends $100 million every six months to defend the .mil network.15 At some point, we must ask ourselves whether we are reaching our defensive goals and deterring adversaries. Today, we are not, but by operationalizing NetD and concentrating on affecting the enemy, we can reverse this trend so that the Air Force can fight back.

Lackland AFB, Texas